Issuers innovate to thwart cybercriminals, but the shift to mobile puts the onus on merchants to step up against card-not-present fraud.
In-person card purchases are more secure nowadays, but now the main battlefront in the fight against fraud is e-commerce.
The shift to EMV credit cards has reduced fraudulent card-present transactions, such as when you pay with your card at a restaurant or retail location. A June 2018 Visa study showed the EMV shift led to a 75 percent drop in counterfeit credit card fraud from December 2015 to March 2018.
But the bad news is that identity thieves are now targeting card-not-present (CNP) transactions – purchases made online, over the phone or by mail or fax.
“Fraudsters don’t really retire; they just change their tactics,” says Don Bush, vice president of marketing for Kount, a company that makes anti-fraud and identity verification technology for financial services and other industries.
Chip technology makes it harder to counterfeit a credit card, but EMV doesn’t prevent criminals from using stolen credit card numbers online. And criminals are exploiting this vulnerability. UK-based Juniper Research predicts retailers could lose as much as $71 billion worldwide from fraudulent CNP transactions between 2017 and 2022.
If you discover a fraudulent charge on your credit card statement, you can file a dispute with the issuer and get it reversed. However, the retailer may be held liable and eat the cost of lost merchandise and the reversed charge.
Identity theft is a pain to consumers and can wreak havoc on merchants, but it’s far from a lost cause. Here’s how credit card brands and merchants are fighting back against card-not-present fraud.
See related: FICO’s Scott Zoldi: Card-not-present fraud a growing threat
Card networks use cybersecurity teams, software to fight fraud
Earlier this year, investigators from Mastercard and Visa helped law enforcement track down members of cybercrime group FIN7, which has stolen millions of credit card numbers. That investigation led to the arrest of three senior members of the group, all Ukrainian nationals.
Penny Lane, vice president of payment fraud disruption at Visa, leads a team of professionals working to disrupt cybercrime. Preventing enumeration attacks – where criminals use computing power to iterate through all possible combinations of credit card numbers until they find legitimate ones – is one area of focus for her team.
Lane says cybercriminals also abuse security risks, such as when an online merchant doesn’t require users to enter a CAPTCHA verification process proving they’re a real human rather than a bot or doesn’t require a card verification value (CVV) – the three or four-digit code printed on the back of your card.
“Besides notifying the merchants, if we see a certain vulnerability, we’ll send out an intelligence alert,” Lane says.
Lane’s team also watches for evidence of virtual skimming, where a cybercriminal gains administrative privileges to an e-commerce site.
When her team identifies a compromised website, it provides the merchant with recommendations on how to fix it.
Meanwhile, Discover authenticates its cardholder transactions using a service called ProtectBuy. According to Discover, ProtectBuy uses a combination of factors to analyze customer behavior and assess transactions. It flags high-risk transactions and sends a one-time password to the cardholder to ensure the purchase is legitimate.
“It provides an additional layer of security so that both merchants and issuers can help mitigate CNP fraud risk and reduce chargebacks by validating the customer’s identity at the time of the transaction,” wrote a Discover representative in an emailed statement.
The card networks also offer their own customer verification products – including Verified by Visa, Mastercard SecureCode and American Express’s SafeKey – to consumers and merchants.
See related: Chip cards bring new fraud trends
Online merchants’ tools include address verification, asking for CVVs
E-commerce brands have several strategies available for identifying card-not-present fraud, including address verification.
“An address verification service (AVS) is an automated program that compares the billing address with the information on file at the credit card issuer,” says Steve Weisman, a lawyer and senior lecturer who teaches about white collar crime at Bentley University. “If it does not match, it can be an indication of fraud.”
Retailers should also require the customer to enter their card’s CVV during online checkout.
“It’s low tech, it’s easy to do and it’s going to be a good screener for much credit card fraud,” Weisman says.
However, requiring the CVV doesn’t prevent online fraud where the cybercriminal has possession of the physical card.
More sophisticated fraud prevention options include “software that monitors the location, device and IP address of the purchaser to make sure they match that of the card’s true owner,” Weisman adds. “Monitoring for purchases that do not comport with the purchase patterns of the true card owner is also helpful.”
This is why you might get a call from your credit card company when you use your card to make an atypically large purchase or order from an unusual location.
Purchase monitoring can cause headaches for online shoppers
However, monitoring can sometimes block legitimate purchases, too. For instance, if a traveler or digital nomad uses an American credit card to make an online purchase from a foreign IP address, the credit card company or the merchant will sometimes block that transaction as fraud. The same thing can happen if you order a gift delivered somewhere other than your billing address while surfing on a foreign IP address.
“Cross-border transactions have a higher risk profile and are going to be scrutinized,” Kount’s Bush says.
See related: Alerting issuers of travel plans may soon by obsolete
Retailers can set other parameters around fraud prevention, too, such as manually scrutinizing larger purchases or those made on certain devices. “I am probably not going to be planning my family vacation on my Xbox One,” Bush points out.
If the credit card company blocks the transaction, the consumer can call the company and explain that it’s a legitimate charge. However, if the merchant blocks it, the consumer might get a confirmation email, but never get the item ordered. When merchants suspect fraud, they sometimes call the consumer to verify. But often they’ll just cancel it without checking with or notifying the consumer if they decide the transaction isn’t worth the trouble, according to Weisman.
Everything moves faster on mobile
With the growth of mobile commerce, online transactions are faster and customers’ expectations are higher than in the past, says Bush.
“Twenty years ago, you could get online and you could search with your Netscape browser, buy a book from Amazon and you could set up electronic payment,” Bush said. “Then we had the emergence of mobile, where everything is fast and the demand of the customer experience is increasing.”
Card companies have sophisticated methods of thwarting cybercriminals, but the shift to mobile – and the potential for lost revenue due to identity theft – puts the onus on merchants to step up in the battle against fraud.
“The last piece is fraud,” he says. “If I’m behind the eight ball [as a merchant], I may have losses higher than I want. There’s a big flux going on right now in several areas so merchants really need to do their homework.”